The Irish Data Protection Authority has fined Meta €91 million for storing passwords in plain text

The Irish Data Protection Commission (DPC) has fined Meta €91 million following an investigation into a security breach in 2019. It was discovered that Meta had incorrectly stored user passwords in plain text, allowing thousands of employees to access them internally.

The passwords have been stored in plain text on Meta’s servers since 2012. According to the DPC, more than 20,000 company employees were able to search the passwords. Although the passwords were not accessible to third parties, the DPC concluded that Meta had violated several rules of the GDPR.

Investigations and violations

The vulnerability became known in January 2019 when Meta revealed that some user passwords were stored in plain text on its servers. A month later, it emerged that millions of Instagram passwords had also been stored incorrectly. Meta did not specify at the time how many accounts were involved in the incident. An internal source at the company stated that up to 600 million passwords could be stored in plain text, according to Engadget.

The DPC stated that Meta failed to report the data breach in a timely manner and that the company did not take appropriate technical measures to ensure the security of users’ passwords. Additionally, there was a lack of proper documentation of the incident, which is also a violation of the GDPR.

Consequences for Meta

In addition to the fine, Meta also received an official reprimand from the DPC. What exactly this means for the company will become clear later when the DPC’s full decision is published. However, the €91 million fine underlines the seriousness of the violations and the responsibility of companies like Meta to properly protect user data.